From 4e5b8be0de8f73a85730a98b384fd441a124ac7a Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 12 Jan 2026 09:01:32 -0500
Subject: [PATCH] [Rule Tuning] New Okta Authentication Behavior Detected (#5542)
* [Rule Tuning] New Okta Authentication Behavior Detected Fixes #5541
* tuning New Okta Authentication Behavior Detected
* Update rules_building_block/initial_access_new_okta_authentication_behavior.toml
* updated tag, adjusted lookback window
---
 ...l_access_new_okta_authentication_behavior.toml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 rename rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml => rules_building_block/initial_access_new_okta_authentication_behavior.toml (94%)
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules_building_block/initial_access_new_okta_authentication_behavior.toml
similarity index 94%
rename from rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
rename to rules_building_block/initial_access_new_okta_authentication_behavior.toml
index e9c89d825..3333bc42b 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules_building_block/initial_access_new_okta_authentication_behavior.toml
@@ -1,15 +1,16 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/07/02"
+updated_date = "2026/01/08"
 
 [rule]
 author = ["Elastic"]
+building_block_type = "default"
 description = "Detects events where Okta behavior detection has identified a new authentication behavior."
-from = "now-30m"
-index = ["filebeat-*", "logs-okta*"]
-interval = "15m"
+from = "now-9m"
+index = ["logs-okta.system-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New Okta Authentication Behavior Detected"
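Review bot: Dropping `interval` while setting `bypass_bbr_timing = true` leaves the run cadence to the platform default, so the tightened `from = "now-9m"` lookback only overlaps the previous run if that default is shorter than nine minutes; if the purpose of bypassing BBR timing is to pin this rule's schedule, state it next to `from`, e.g. `interval = "5m"`, so the lookback/interval pair is deliberate rather than inherited. The narrowed `index = ["logs-okta.system-*"]` also drops `filebeat-*`, so Okta system logs shipped through the Filebeat module rather than the integration no longer reach this rule; that coverage change is worth a sentence in the PR description or the rule's `note` so operators can confirm their data path. The `[rule]` table continues past this hunk.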
@@ -53,14 +54,16 @@ references = [
     "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
     "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
-severity = "medium"
+severity = "low"
 tags = [
     "Use Case: Identity and Access Audit",
     "Tactic: Initial Access",
     "Data Source: Okta",
     "Resources: Investigation Guide",
+    "Rule Type: BBR",
+    "Domain: Identity"
 ]
 timestamp_override = "event.ingested"
 type = "query"
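Review bot: The new last tag `"Domain: Identity"` has no trailing comma, while the `references` array in the same hunk closes its final element with one; write it as `"Domain: Identity",` so the one-per-line array stays consistent and the next tag appended does not have to touch this line. If the repository orders tags by category, a `Domain:` tag presumably belongs ahead of `Use Case:` and `Data Source:` rather than at the end — confirm against a sibling building-block rule before relying on it. The move to `risk_score = 21` with `severity = "low"` keeps the two fields aligned, which is the main thing to check when both change together.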